Security

Trust Built on Transparency and Control

Sureshake protects sensitive financial data with layered controls, auditable workflows, and independently verifiable integrity proofs. We believe trust is earned through clear, specific security commitments.

  • Encryption: AES-256-GCM. Encrypted at rest with KMS-backed key management
  • Verification: Hash + Timestamp. Only cryptographic proof is anchored on Base
  • Access Model: Explicit Grants. Owner-controlled sharing with revocation support

Security Philosophy

At Sureshake, security is a product requirement. We protect sensitive financial records using encryption, least-privilege access controls, and tamper-evident verification workflows.

Security by Design

Security is built into every layer of our platform, from cryptographic design to access controls.

Encryption and Key Scoping

Sensitive data is protected with layered encryption controls

  • AES-256-GCM for sensitive payloads and artifacts
  • AWS KMS-backed envelope encryption patterns
  • Encryption context binding for scoped operations
  • TLS 1.2+ for data in transit

Least-Privilege Access

Authorization checks are enforced before protected data is returned

  • Role-based controls for internal operations
  • Ownership-aware authorization at service boundaries
  • Explicit grant model for sharing protected content
  • Grant expiry and revocation support

Tamper-Evident Verification

Verified content cannot be changed without detection

  • Canonical content hashing for verification
  • On-chain proof anchoring on Base
  • Append-only correction/supersession model
  • Traceable verification history

Credential Protection

Connector tokens and secrets are handled as high-risk material

  • Connector credentials encrypted at rest
  • Scoped key usage for connector contexts
  • Token revocation and connector pause workflows
  • Reauthorization required after compromise response

Privacy by Design

Data handling controls are designed into system behavior

  • Data minimization by default
  • Log and non-production sanitization
  • Controlled processor sharing only
  • No sale of personal data

Infrastructure & Deployment

Our infrastructure is designed for security, reliability, and scale using industry best practices.

AWS Storage and Compute

Operational workloads and report/document storage run on AWS

  • S3-backed report/document storage
  • KMS-backed encryption controls
  • Network isolation and private service boundaries
  • Support for resilience and disaster recovery patterns

Residency-Aware Routing

Data location is controlled by residency configuration

  • US residency as default footprint
  • EU residency support for eligible workloads
  • Region-specific storage and key configuration
  • Explicit handling required for residency migrations

Monitoring and Detection

Security events are monitored for investigation and response

  • Security-sensitive event logging
  • Alerting workflows for critical signals
  • Dependency and vulnerability monitoring
  • Operational telemetry for incident triage

Network and App Protections

Defense-in-depth controls reduce common web and API risks

  • Transport encryption on supported connections
  • Security headers and browser hardening
  • Rate limiting and throttling
  • Layered perimeter controls

Off-Chain + On-Chain Architecture

Financial content remains private while verification stays independently checkable

  • Financial data remains off-chain in controlled infrastructure
  • Only hashes/timestamps and minimal metadata are anchored
  • Optional IPFS-compatible storage for selected encrypted artifacts or metadata references
  • Independent verification without exposing raw financial records
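
An added example, not Sureshake's code: how a canonical hash anchored with a timestamp lets anyone detect a post-verification edit while the record itself stays off-chain, including the append-only supersession case from the Tamper-Evident Verification list. The canonical form (sorted-key JSON), SHA-256, the `AnchorLog` class and all sample values are assumptions made for illustration.

```python
import hashlib
import json

def canonical_hash(record: dict) -> str:
    """SHA-256 over sorted-key, whitespace-free JSON (assumed canonical form).
    Amounts are kept as strings so float formatting cannot change the hash."""
    encoded = json.dumps(record, sort_keys=True, separators=(",", ":"),
                         ensure_ascii=False).encode("utf-8")
    return hashlib.sha256(encoded).hexdigest()

class AnchorLog:
    """Hypothetical stand-in for the public anchor: an append-only list that
    stores only a hash, a timestamp and an optional supersession pointer."""

    def __init__(self):
        self._entries = []

    def anchor(self, content_hash, timestamp, supersedes=None):
        if supersedes is not None and not 0 <= supersedes < len(self._entries):
            raise ValueError("supersedes must reference an existing anchor")
        self._entries.append(
            {"hash": content_hash, "timestamp": timestamp, "supersedes": supersedes})
        return len(self._entries) - 1  # anchor id

    def verify(self, record, anchor_id):
        """Check an off-chain record: 'valid', 'superseded' or 'mismatch'."""
        if canonical_hash(record) != self._entries[anchor_id]["hash"]:
            return "mismatch"
        replaced = any(e["supersedes"] == anchor_id for e in self._entries)
        return "superseded" if replaced else "valid"

# Constructed sample records; none of these values come from the page.
ORIGINAL = {"account": "ACME-001", "period": "2024-Q1", "revenue": "125000.00"}
REORDERED = {"revenue": "125000.00", "period": "2024-Q1", "account": "ACME-001"}
TAMPERED = dict(ORIGINAL, revenue="152000.00")
CORRECTED = dict(ORIGINAL, revenue="125500.00")

def demo():
    log = AnchorLog()
    first = log.anchor(canonical_hash(ORIGINAL), "2024-04-02T10:00:00Z")
    before = [log.verify(r, first) for r in (ORIGINAL, REORDERED, TAMPERED)]
    # A correction is a new anchor pointing at the old one; nothing is edited.
    second = log.anchor(canonical_hash(CORRECTED), "2024-04-09T09:30:00Z", first)
    return before + [log.verify(ORIGINAL, first), log.verify(CORRECTED, second)]

if __name__ == "__main__":
    print(demo())
```

Key order does not affect the result because the hash is taken over the canonical encoding, while any change to a field value produces a mismatch against the anchored hash.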

Data Protection

Your data is protected at every stage with encryption, access controls, and comprehensive audit trails.

KMS Envelope Encryption

Scoped key usage and envelope encryption protect sensitive data and artifacts

Tamper-Evident Audit Logs

Security-sensitive actions include integrity signatures and chained references

Verification Anchors

Canonical hashes are anchored on-chain so post-verification edits are detectable

Portability Artifacts

Exportable records and manifests preserve independent verification continuity

Compliance Roadmap

We're committed to achieving and maintaining the highest levels of compliance and certification.

  • SOC 2 TSC Alignment (In Progress): Control design and operation aligned to SOC 2 Trust Services Criteria
  • ISO 27001 Control Mapping (In Progress): Security control families mapped to ISO 27001 requirements
  • NIST CSF Practices (In Progress): Security operations mapped across identify, protect, detect, respond, and recover
  • Vendor Security Reviews (Achieved): All vendors undergo security assessment before integration
  • Independent Security Artifacts (Planned): Evidence packs for due diligence reviews under appropriate confidentiality terms

Privacy Principles

You are not the product

We don't sell, rent, or trade your data. Ever. Our business model is based on providing value through our platform, not monetizing your information.

Data minimization

We only collect information that's necessary to provide our services. If we don't need it, we don't collect it.

Transparency

We explain what is on-chain, what stays off-chain, and how access is controlled.

Your control

You control sharing grants and can export verification artifacts for portability.

Security Team

Our security team is available to discuss your security requirements, provide documentation, or address any concerns.

Security Inquiries

security@sureshake.com

Report Vulnerabilities

Responsible Disclosure